Installation Guide for Cisco Prime Security Manager 9.0
Cisco Systems, Inc.
www.cisco.com
Cisco ASA CX Module Quick Start Guide
Updated: February 18, 2015
1. About the ASA CX Module
The ASA CX module comes as a hardware module for the ASA 5585-X and as a software module for the ASA 5500-X. For
ASA model software and hardware compatibility with the ASA CX module, see
The ASA CX module lets you enforce security based on the complete context of a situation. This context includes the
identity of the user (who), the application or website that the user is trying to access (what), the origin of the access
attempt (where), the time of the attempted access (when), and the properties of the device used for the access (how).
With the ASA CX module, you can extract the full context of a flow and enforce granular policies such as permitting
access to Facebook but denying access to games on Facebook or permitting finance employees access to a sensitive
enterprise database but denying the same to other employees.
The ASA CX module runs an application that is separate from the ASA. Configuring the ASA CX module requires two
parts: the ASA CX policy configuration, using Cisco Prime Security Manager (PRSM); and the ASA policy for redirecting
traffic to the ASA CX module, using ASDM.
Traffic undergoes the firewall checks on the ASA before being forwarded to the ASA CX module. When you identify traffic
for ASA CX inspection on the ASA, traffic flows through the ASA and the ASA CX module as described in the following
steps:
1. Traffic enters the ASA.
2. Incoming VPN traffic is decrypted.
3. Firewall policies are applied.
4. Traffic is sent to the ASA CX module.
5. The ASA CX module applies its security policy to the traffic, and takes appropriate actions.
6. Valid traffic is sent back to the ASA; the ASA CX module might block some traffic according to its security policy, and that traffic is not passed on.
7. Outgoing VPN traffic is encrypted.
8. Traffic exits the ASA.
The following figure shows the traffic flow when using the ASA CX module. In this example, the ASA CX module
automatically blocks traffic that is not allowed for a certain application. All other traffic is forwarded through the ASA.
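The eight-step flow and the context-based policies described above (Facebook versus Facebook games, finance employees versus others) can be modelled in a few lines. This is an added illustration, not Cisco code or PRSM/ASDM configuration: the `Flow` fields, the permitted-port set, the rule list, the first-match evaluation and the allow-by-default outcome are all assumptions made for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:                      # constructed model of one connection
    user_group: str              # who
    application: str             # what
    dst_port: int
    src_zone: str = "inside"     # where
    hour: int = 9                # when
    device: str = "laptop"       # how
    vpn_in: bool = False
    vpn_out: bool = False

# Hypothetical ASA firewall policy: only these destination ports pass step 3.
ASA_PERMITTED_PORTS = {443, 1521}

# Hypothetical ASA CX context policy; first match wins (assumption).
CX_POLICY = [
    ({"application": "facebook-games"}, "deny"),
    ({"application": "facebook"}, "allow"),
    ({"application": "finance-db", "user_group": "finance"}, "allow"),
    ({"application": "finance-db"}, "deny"),
]

def cx_verdict(flow):
    """Evaluate the context rules against every attribute they name."""
    for match, action in CX_POLICY:
        if all(getattr(flow, k) == v for k, v in match.items()):
            return action
    return "allow"               # assumption: unmatched traffic is forwarded

def process(flow):
    """Walk the flow through steps 1-8 and return (outcome, trace)."""
    trace = ["enter ASA"]                              # step 1
    if flow.vpn_in:
        trace.append("decrypt VPN")                    # step 2
    if flow.dst_port not in ASA_PERMITTED_PORTS:       # step 3
        return "dropped by ASA firewall", trace        # never reaches CX
    trace.append("firewall policies passed")
    trace.append("redirect to ASA CX")                 # step 4
    if cx_verdict(flow) == "deny":                     # step 5
        return "blocked by ASA CX", trace              # not passed back
    trace.append("returned to ASA")                    # step 6
    if flow.vpn_out:
        trace.append("encrypt VPN")                    # step 7
    trace.append("exit ASA")                           # step 8
    return "forwarded", trace
```

The ordering is the point to take away: the ASA CX module only ever sees traffic that the ASA firewall policy has already permitted and, for VPN traffic, already decrypted.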